Juniper Issues Patches for Junos OS

Friday, July 15, 2016 @ 04:07 PM gHale


Juniper Networks fixed holes in the Junos operating system used on its networking and security appliances.

The most serious vulnerability, rated 9.8 in the Common Vulnerability Scoring System, is in the J-Web interface, which allows administrators to monitor, configure, troubleshoot and manage routers running Junos OS.

RELATED STORIES
Flaws in Free SSL Tool
Juniper Changes ScreenOS Firewalls
ICS Components Remain Connected to Internet
Ransomware Masked as Rockwell Update

The issue is an information leak that could allow unauthenticated users to gain administrative privileges to the device.

The flaw ended up fixed in Junos OS 12.1X46-D45, 12.1X46-D46, 12.1X46-D51, 12.1X47-D35, 12.3R12, 12.3X48-D25, 13.3R10, 13.3R9-S1, 14.1R7, 14.1X53-D35, 14.2R6, 15.1A2, 15.1F4, 15.1X49-D30 and 15.1R3.

In addition, a temporary workaround is to disable J-Web or to limit which IP addresses can access the interface.

The company also fixed vulnerabilities that can lead to denial of service (DoS) conditions. One of them can end up used to crash the kernel of a Junos OS device with a 64-bit architecture by sending a specially crafted UDP packet destined to an interface IP address of the device itself.

Another kernel crash can end up triggered with specially crafted ICMP packets sent to Junos OS devices configured with a GRE or IPIP tunnel. The attack requires knowledge of network-specific information.

High-End SRX-Series chassis, configured in either standalone or cluster mode, are susceptible to several DoS conditions if the in-transit traffic matches one or more ALG (application layer gateway) rules.

Another Junos patch fixes a potential networking data leak when source and destination MAC addresses of Ethernet frames with the EtherType field of IPv6 (0x86DD) flood into the VPLS instance.